This page lists features, improvements, and changes for Alibaba Cloud Service Mesh (ASM) from July 2020 through December 2022. For the latest release notes, see Release notes.
December 2022
Traffic management
Added Adaptive xDS optimization: Automatically generates sidecar configurations based on access log analysis of service call dependencies. Reduces unnecessary configuration pushes from the control plane to the data plane. Requires Istio 1.15 or later. Enterprise and Ultimate editions.
Added Custom authorization service for ingress gateways: Configures custom authorization at the ingress gateway level in a few steps, enhancing ingress gateway security capabilities. Requires Istio 1.15 or later. Enterprise and Ultimate editions.
Observability
Added SLO-based observability: Configures service level objectives (SLOs) for applications. Automatically generates a Prometheus rule that you can import to the Prometheus system for the SLOs to take effect. Requires Istio 1.15 or later. Enterprise and Ultimate editions. See also SLO overview.
Security
Updated OPA to version 0.46.1: Upgrades Open Policy Agent (OPA) with additional features. Requires Istio 1.15 or later.
November 2022
Platform
Added Istio 1.15.x support with Kubernetes 1.21 through 1.25 compatibility.
Security
Added Ingress gateway whitelist and blacklist: Accepts or rejects requests based on IP address, HTTP domain, or port. Requires Istio 1.15 or later. Enterprise and Ultimate editions.
Added TPROXY mode for inbound traffic interception: Uses transparent proxying to preserve source IP addresses and port numbers. Configurable at global, namespace, and workload levels. Requires Istio 1.15 or later. Enterprise and Ultimate editions.
Added TLS version configuration for ingress gateways: Disables TLS versions earlier than V1.2 on ingress gateways to enhance security. Requires Istio 1.14 or later. Enterprise and Ultimate editions.
Observability
Added Advanced features for Managed Service for OpenTelemetry, including sampling percentage and application tags. Requires Istio 1.15 or later.
Added SLO generation for applications: Automatically generates SLOs and alert rules based on monitoring metrics. Requires Istio 1.15 or later. Enterprise and Ultimate editions.
October 2022
Traffic management
Added CNI plug-in: Redirects pod traffic through the Container Network Interface (CNI) plug-in, removing the need for iptables rules in each pod and elevated RBAC permissions. Requires Istio 1.14 or later. Enterprise and Ultimate editions.
Added Selective service discovery: Limits the control plane to discovering and processing applications only in specified data-plane namespaces, reducing unnecessary configuration pushes. Requires Istio 1.14 or later.
Added Lane mode for traffic isolation: Isolates traffic flow from the ingress gateway to different services, facilitating the release of multiple services and parallel development of multiple service versions. Requires Istio 1.14 or later. Enterprise and Ultimate editions.
Observability
Improved Mesh Topology: Displays workload status and call topology with enhanced detail.
Added Throttling metrics observability: Collects and displays throttling metrics after local throttling is configured. Requires Istio 1.14 or later. Enterprise and Ultimate editions.
Security
Added ASM security policies: Provides a unified security policy framework for access control, including SSO through OIDC and JWT authentication. Requires Istio 1.14 or later. Enterprise and Ultimate editions.
Added Trial run of security policies: Tests authorization policies in trial mode before enforcement. Requires Istio 1.14 or later.
Ecosystem
Added ACK edge cluster management: Manages applications in Container Service for Kubernetes (ACK) edge clusters added to ASM. Requires Istio 1.14 or later. Enterprise and Ultimate editions.
September 2022
Platform
Added Competence Center: A page in the ASM console that provides an overview of features available for integration with ASM.
Improved Sidecar proxy management: Adds lifecycle configuration options and unifies the configuration interface at both namespace and workload levels.
Traffic management
Added Instance warm-up: Gives new instances time to initialize before receiving full traffic, preventing overload during startup. Requires Istio 1.14 or later. Enterprise and Ultimate editions.
Security
Added OIDC-based SSO: Supports OpenID Connect (OIDC) for single sign-on through external identity providers. Alibaba Cloud IDaaS and self-managed identity services are supported. Requires Istio 1.13 or later. See also Integrate Keycloak with ASM to implement SSO.
Added Multiple JWT algorithms: Allows ASM administrators to choose among different JSON Web Token (JWT) algorithms for request authentication. Requires Istio 1.13 or later.
Added Trial run of security policies: Tests authorization policies before enforcement. Requires Istio 1.14 or later.
Observability
Added Latency-related parameters in access logs: Editable access log format supports latency-related parameters for latency analysis.
August 2022
Platform
Added Istio 1.14.x support with Kubernetes 1.21 through 1.25 compatibility.
Added Plug-in marketplace: Provides out-of-the-box plug-ins for customizing Envoy filters without writing code. See also Envoy filter templates.
Improved Mesh diagnostics with enhanced troubleshooting efficiency.
Improved Third-party token compatibility with ACK clusters for improved workload security.
Traffic management
Added Intra-zone Provider First: Routes traffic to service providers in the same zone first, reducing latency without code changes. Requires Istio 1.13 or later. Enterprise and Ultimate editions.
Added Route-level circuit breaking: Configures circuit breaking at the route level for finer-grained traffic control. Requires Istio 1.13 or later. Enterprise and Ultimate editions.
Observability
Improved Mesh Topology rendering with multi-dimensional views of the call topology between application services.
July 2022
Platform
Added Philippines (Manila) region. See Supported regions.
Added Istio 1.13.x support. Standard, Enterprise, and Ultimate editions.
Added Canary release of the Istio control plane [Canary]: Provides a smoother alternative to in-place updates, with rollback support. Enterprise and Ultimate editions.
Security
Added Integration with Alibaba Cloud Identity as a Service (IDaaS) and Keycloak for external authorization and SSO through OIDC.
Ecosystem
Added SDK for Java and SDK for Go: Manage Istio resources programmatically. Standard, Enterprise, and Ultimate editions. See ASM SDK overview.
June 2022
Platform
Added Istio 1.13.4 support [Canary].
Traffic management
Improved Local throttling with support for custom headers and response body.
Added getHeader(key) configuration through TrafficLabel CRDs, allowing traffic labels to be obtained from request headers based on custom header keys.
Added Regular expression support for matching rules of secondary virtual services.
Ecosystem
Added Integration with Argo CD, Argo Rollouts, Apsara DevOps, and Flagger for blue-green and canary releases of application services through GitOps workflows.
Added KServe-based AI services: Deploys serverless inference workloads with auto scaling, blue-green and canary releases for model services, and concurrency-based intelligent routing.
Added ALB integration through ingress gateways: Uses Application Load Balancer (ALB) alongside ASM ingress gateways.
Added Knative support: Installs and uses Knative components for serverless containers and traffic-based auto scaling without maintaining a separate Istio installation.
Observability
Improved One-click enablement for Mesh Topology, Prometheus monitoring, log center, and log dashboard features. Displays an error message if a status error occurs.
Platform
Added Synchronization of namespaces and tags from ACK clusters to global namespaces, enabling two-way synchronization between ASM and ACK clusters.
May 2022
Platform
Added Istio 1.12.4 support with a service management module for managing services and configuring policies.
Added Terraform support: Creates and updates ASM instances and grants permissions to RAM users through Terraform.
Added CNI plug-in: Configures pod traffic redirection during the pod network setup phase, removing the need for init containers with NET_ADMIN capability.
Traffic management
Added Sidecar proxy configuration through annotations: Configures sidecar proxies by adding resource annotations at global, namespace, and workload levels.
Observability
Improved Mesh Topology: Monitors service behavior through a topology-based GUI.
Improved Mesh diagnostics with enhanced diagnostic capabilities.
April 2022
Platform
Added Commercial editions released on April 1, 2022: Enterprise Edition and Ultimate Edition. See Billing rules.
Added Envoy filter marketplace: Binds Envoy filter templates to workloads for custom Envoy filter extensions.
Added EIP association for the API server: Associates or disassociates an Elastic IP Address (EIP) with the internal-facing CLB instance of the API server to generate a public endpoint.
Improved O&M capabilities: The ASM console detects alert rules configured for the CLB instance exposing Istio Pilot and provides navigation to its monitoring page.
Traffic management
Improved Ingress gateway capabilities: Added support for graceful shutdown of Classic Load Balancer (CLB) connections, IPv6 addresses, certificate management, multiple CLB instances, and source IP retrieval.
Added Traffic routing for ASM gateways: Routes traffic at the gateway level.
Security
Added RAM permission management: Grants fine-grained permissions to RAM users and RAM roles. RBAC roles provide detailed control over mesh management permissions.
Improved External authorization: Headers can be overwritten when access requests pass or fail HTTP-based external authorization.
March 2022
Security
Added OPA injection scope control: Controls the injection scope of OPA sidecars using the opa-istio-injection namespace label, decoupling OPA from the Istio-proxy automatic injection policy.
Added cert-manager for ASM gateways: Manages certificates for ASM gateways using cert-manager.
Extensibility
Updated Envoy filter marketplace: Added six built-in templates:
Template that supports Spring Cloud services
Template that adds the HTTP body to access logs
Template that retains the case of request and response headers
Template that sets the allow_connect parameter to true for updated protocol connections
Template that adds request header information to response headers
Template that adds HTTP response headers
February 2022
Platform
Added Istio 1.12.x support with Kubernetes 1.22 compatibility.
Traffic management
Added Envoy filter templates: Manages Envoy filters through a plug-in center in the ASM console. Creates filters from pre-built templates.
Added Local throttling: Throttles traffic at gateways and services to protect the system from overload.
January 2022
Platform
Added Istio 1.11.5 support.
Added Three new regions: China (Guangzhou), China (Hohhot), and China (Heyuan).
Traffic management
Improved ASM gateway management: Added gateway detail pages, configuration modification, upstream service association, and traffic policy creation.
Improved ASM Professional Edition: Lossless CLB traffic during gateway replica shutdown and Multi-Buffer for TLS acceleration on supported models.
Ecosystem
Added Spring Cloud service management: Manages Spring Cloud services through ASM.
December 2021
Platform
Added Istio 1.10.5 support. Monitoring dashboards for gateways and global mesh status can be added through the Observability Management > Prometheus Monitoring page. Dashboard features require Istio 1.10 or later.
Security
Added Flexible external authorization: Declares external authorization services in meshes and customizes authorization through authorization policies, including gRPC-based authorization.
Traffic management
Added Automatic sidecar recommendation: Recommends sidecar configurations based on access log analysis, so each workload's sidecar only processes traffic for services it depends on.
Added Global and namespace-level sidecar proxies: Configures sidecar proxies at the global or namespace level.
Observability
Added Custom metrics: Customizes metrics per ASM instance, namespace, or workload.
November 2021
Traffic management
Added Multi-Buffer for TLS acceleration: Uses Intel Multi-Buffer to optimize TLS encryption and decryption performance, accelerating encrypted communication between services.
Added Selective service discovery: Configures service discovery selectors to reduce unnecessary configuration pushes from the control plane.
Improved Gateway updates: ASM gateway versions are viewable and manually updatable through the gateway update page in the ASM console.
Observability
Improved Log center integrated into the observability management page, providing detailed gateway and data-plane logs.
Added Mesh diagnostics check item: Detects Envoy filters on the control plane that are not provided by ASM.
October 2021
Traffic management
Added Istio resource version rollback: Rolls back Istio resources to previous versions. ASM stores up to five versions of each resource's spec block.
Added Kubernetes API access to Istio resources: Accesses Istio resources through the Kubernetes API of data-plane clusters.
Improved ASM gateway page: Redesigned the Create ASM Gateways page with gateway type selection and instance count configuration. Added support for the Horizontal Pod Autoscaler (HPA) for ASM Professional Edition instances based on custom metrics including CPU and memory, which is disabled by default. Syntax checking is enabled by default for Istio gateway definitions.
Observability
Added Prometheus monitoring integration: Views data-plane service and workload statistics in the ASM console through Managed Service for Prometheus.
Added Control-plane log collection: Collects control-plane logs and configures log-based alerts in Simple Log Service.
Improved Access log collection: Supports creating new projects and using existing projects.
Ecosystem
Added Cross-region disaster recovery and load balancing: Routes traffic to multiple clusters based on weights for load balancing, and transfers traffic from faulty regions for disaster recovery. Uses Cloud Enterprise Network (CEN) for cross-VPC communication.
September 2021
Platform
Added asmctl command-line tool: Detects configuration problems in ASM instances. See also Common asmctl commands.
Security
Added OPA policy management in the console: Configures OPA policies through the ASM console.
Added RBAC permission delegation: RAM users can grant each other RBAC permissions.
Traffic management
Added CORS support: Enables cross-origin resource sharing (CORS) through the corsPolicy field in virtual services.
Observability
Added Custom access logs: Customizes access log content on the data plane, with the ability to enable or disable the feature.
Platform
Improved ASM console: GUI-based destination rule and gateway creation.
August 2021
Security
Added Zero-trust security capabilities: Supports peer authentication, request authentication, Istio authorization policies, and OPA-based fine-grained access control.
Traffic management
Improved ASM gateways:
Custom host networks and DNS policies
Rolling updates in ASM Professional Edition for scaling without interrupting online traffic
High availability for ASM gateways
Custom access logs
Ingress gateway service creation through the Kubernetes API
Observability
Updated Mesh Topology to V1.34. Managed Service for Prometheus metrics are now obtained over the internal network. Logstores that collect sidecar proxy logs no longer collect ingress gateway service logs. Observability dashboards display access traffic statistics by top 10 provinces or cities and top visitors by URL or IP address.
Platform
Improved ASM console: GUI-based security policy and virtual service creation, custom resources through YAML templates, and an optimized sidecar proxy injection page.
July 2021
Ecosystem
Added Consul integration: Connects ASM to one or more Consul service registries.
Security
Added Dynamic OPA policy updates: Supports dynamic updates of OPA policies to improve the authorization mechanism of Service Mesh.
June 2021
Ecosystem
Added ACK edge cluster governance: Adds ACK edge Kubernetes clusters to ASM instances for unified service governance in edge computing scenarios powered by 5G networks.
Platform
Improved Mesh diagnostics: Added five check items:
Whether the istio-injection parameter matches between data-plane and control-plane namespaces
Whether a port under 1024 can be used in gateway pods
Whether the namespace of a destination rule is valid
Whether the TLS certificate secret type referenced by a gateway is valid
Whether the TLS certificate secret referenced by a gateway exists
May 2021
Traffic management
Added Canary releases based on routing rules: Implements canary releases through scope configurations (extended CRDs) in two modes: Integrates with Microservices Engine (MSE) for canary releases. [Discontinued]
Selector mode: Routes traffic to specific pods based on label matching.
RollingUpdate mode: Applies routing rules to pods in batches.
April 2021
Traffic management
Added Virtual service delegates: Manages routing rules at a finer granularity, reducing the risk of routing changes.
Added Gzip-based data compression: Compresses HTTP responses at the ingress gateway, reducing response time and traffic usage.
Extensibility
Added WebAssembly (Wasm) extension: Extends the data plane with custom functionality using Wasm and OCI Registry as Storage (ORAS).
March 2021
Traffic management
Added DNS proxy: Transparently intercepts DNS queries from applications and resolves them using Kubernetes services and service entries. Improves performance and availability. Enable through the ASM console or Alibaba Cloud CLI.
Improved Ingress gateway kernel parameters: Modifiable kernel parameters for performance tuning. See CRD fields for an ASM gateway.
Platform
Added Protection for API server and CLB configurations to prevent accidental modification or deletion.
Improved Unified sidecar proxy injection settings across data-plane clusters.
February 2021
Platform
Added Istio 1.8.3 support. ASM is available in 12 regions.
Added Service-linked role for ASM: Manages the service-linked role required by ASM.
Ecosystem
Added Registered external Kubernetes clusters: Manages applications in external Kubernetes clusters added to ASM.
Added ACK Serverless cluster management: Manages applications in ACK Serverless clusters.
Added ECI pod management: Manages applications in Elastic Container Instance (ECI) pods on virtual nodes.
Traffic management
Added Custom ingress gateways through CRD definitions, with TLS pass-through and Secret Discovery Service (SDS) support.
Added Consul integration: Migrates microservices in Consul service registries to ASM.
Extensibility
Added ORAS for Wasm-based extension: Simplifies WebAssembly-based ASM instance extension using OCI Registry as Storage (ORAS).
January 2021
Platform
Added Two new regions: China (Chengdu) on the China site (aliyun.com) and US (Virginia) on the international site (alibabacloud.com).
Observability
Added One-click enablement for access log collection, Managed Service for Prometheus, and Mesh Topology.
Traffic management
Added HTTP/1.0 support: Enables HTTP/1.0 for backward compatibility with legacy systems. By default, Envoy requires HTTP/1.1 or HTTP/2.0.
Improved Ingress gateway definition and configuration: Streamlined the ingress gateway definition, configuration, and version update process. Supports nodeSelector configuration and standardized CLB annotations.
Improved Envoy filter verification.
November 2020
Platform
Added Istio 1.7.5 support. ASM is available on the international site (alibabacloud.com).
Added Mesh Topology: A GUI for observing service mesh instance status.
Added Hot update of data planes (Beta): Updates the data plane without interrupting services or affecting applications.
Added Istio CNI plug-in for ASM instances with Istio 1.7 or later: Replaces the istio-init container without elevated privileges. [Phased out] Conflicts with other CNI plug-ins; under re-evaluation.
October 2020
Platform
Added Multiple sidecar proxy injection methods: Supports namespace-wide injection, pod annotation-based injection, and selective injection using alwaysInjectSelector or neverInjectSelector. Requires Istio 1.6.8.19 or later.
Added Kubernetes 1.18 support on data planes. Requires Istio 1.6.8.19 or later.
September 2020
Platform
Added Istio 1.6.8 support. In addition to dedicated and managed Kubernetes clusters, registered external clusters, ECI instances, and Elastic Compute Service (ECS) instances, ASM now supports ACK Serverless clusters and ACK clusters deployed on elastic container instances.
Observability
Added Telemetry V2 Mixerless: Collects telemetry data without Mixer. Automatically adjusts traffic to workloads based on collected metrics.
Added Mesh diagnostics: Diagnoses ASM instances based on data-plane versions, service ports, application labels, destination addresses, and virtual service conflicts.
August 2020
Platform
Added Cluster domain configuration: Specifies a cluster domain when creating an ASM instance. Default: cluster.local. Only clusters sharing the same domain can join the instance.
Added ACK Serverless cluster support on ECI: Throttles and manages traffic for Elastic Container Instance (ECI) workloads centrally.
July 2020
Platform
Added Service Mesh (ASM) is available for commercial use as a free service. Pay only for associated services such as ACK, CLB, and Simple Log Service. Initial regions: China (Beijing), China (Hangzhou), China (Zhangjiakou), China (Shanghai), China (Shenzhen), Indonesia (Jakarta), and Germany (Frankfurt). Key capabilities:
Centralized management mode
Centralized traffic throttling
Managed control-plane components
Hybrid cloud, multi-cloud, multi-cluster, and non-containerized application migration support
Ecosystem
Added Registered external cluster management: Manages applications in external Kubernetes clusters registered in the ACK console.
Observability
Added Tracing data export: Exports tracing data to Managed Service for OpenTelemetry or a Zipkin-compatible system.